US-8380392

Method to ensure safety integrity of a microprocessor over a distributed network for automotive applications

Published: February 19, 2013
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A processor integrity system in a vehicle includes m main processor modules that control at least m respective functions of the vehicle, where m is an integer greater than or equal to one. A monitoring processor module controls at least one function of the vehicle, communicates with the m main processor modules over a distributed vehicle network, selectively transmits a query to at least one of the m main processor modules over the distributed vehicle network, receives an answer from the at least one of the m main processor modules over the distributed vehicle network, and verifies integrity of the at least one of the m main processor modules based on the answer.

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A processor integrity system in a vehicle, the system comprising: m main processor modules that control at least m respective functions of the vehicle, where m is an integer greater than one; and a monitoring processor module that controls at least one function of the vehicle, that communicates with the m main processor modules over a distributed vehicle network, that selectively transmits a first query to at least one of the m main processor modules over the distributed vehicle network, that receives a first answer from at least one of the m main processor modules over the distributed vehicle network, that selectively transmits a second query to at least one of the m main processor modules if the first answer does not match a first expected answer, that receives a second answer from the at least one of the m main processor modules over the distributed vehicle network, and that sends a request for remedial action for at least one of the m main processor modules to a remedial action module if the second answer does not match a second expected answer, wherein the first query and the second query are different and the first expected answer and second expected answer are different.

2. The system of claim 1 wherein the monitoring processor module compares the first answer to the first expected answer to verify the integrity of the at least one of the m main processor modules, and wherein the first expected answer is based on the first query.

3. The system of claim 2 wherein the monitoring processor module increments a counter if either one of the first answer and the second answer does not match the first expected answer or the second expected answer, respectively, and decrements the counter if either one of the first answer and the second answer does match the first expected answer or the second expected answer, respectively.

4. The system of claim 3 wherein the monitoring processor module transmits the second query if the counter does not exceed a predetermined limit and the first answer does not match the first expected answer.

5. The system of claim 4 wherein the monitoring processor module initiates a remedial action if the counter exceeds a predetermined value.

6. The system of claim 1 wherein the monitoring processor module receives the first query and the second query from the at least one of the m main processor modules over the distributed vehicle network.

7. The system of claim 1 wherein the monitoring processor module adjusts the first query after verifying the integrity of the at least one of the m main processor modules.

8. The system of claim 1 wherein the monitoring processor module transmits at least one of the first query and the second query to at least two of the m main processor modules.

9. The system of claim 1 wherein the main processor module transmits a different query to each of the m main processor modules.

10. A processor integrity method in a vehicle, the method comprising: controlling at least m respective functions of the vehicle using m respective main processor modules, where m is an integer greater than one; controlling at least one function of the vehicle using a monitoring processor module; communicating with the m main processor modules over a distributed vehicle network using the monitoring processor module; selectively transmitting a first query from the monitoring processor module to at least one of the m main processor modules over the distributed vehicle network; receiving a first answer from the at least one of the m main processor modules at the monitoring processor module over the distributed vehicle network; comparing the first answer to a first expected answer that is based on the first query to verify the integrity of the at least one of the m main processor modules using the monitoring processor module; transmitting a second query to the at least one of the m main processor modules if the first answer does not match the first expected answer, wherein the first query and the second query are different; receiving a second answer from the at least one of the m main processor modules over the distributed vehicle network; and sending a request for remedial action for the at least one of the m main processor modules to a remedial action module if the second answer does not match a second expected answer, wherein the first expected answer and the second expected answer are different.

11. The method of claim 10 further comprising incrementing a counter using the monitoring processor module if either one of the first answer and the second answer does not match the first expected answer or the second expected answer, respectively, and decrementing the counter using the monitoring processor module if either one of the first answer and the second answer does match the first expected answer or the second expected answer, respectively.

12. The method of claim 11 further comprising transmitting the second query if the counter does not exceed a predetermined limit and if the first answer does not match the first expected answer.

13. The method of claim 12 further comprising initiating a remedial action using the monitoring processor module if the counter exceeds a predetermined value.

14. The method of claim 10 further comprising receiving the first query and the second query at the monitoring processor module from the at least one of the m main processor modules over the distributed vehicle network.

15. The method of claim 10 further comprising adjusting the first query using the monitoring processor module after verifying the integrity of the at least one of the m main processor modules.

16. The method of claim 10 further comprising transmitting at least one of the first query and the second query to at least two of the m main processor modules using monitoring processor module.

17. The method of claim 10 further comprising transmitting a different query to each of the m main processor modules using the main processor module.
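
The monitoring cycle described in claims 1 to 5 and 7 (and method claims 10 to 13 and 15), sketched in C as an added example; it is not code from the patent or from Patentable. The answer function, `FAULT_LIMIT`, the constructed responder functions and the function pointer standing in for the distributed vehicle network are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FAULT_LIMIT 2 /* assumed; serves as both the claim 4 limit and claim 5 value */
typedef uint16_t (*answer_fn)(uint16_t query); /* stands in for the network round trip */
typedef struct { uint16_t seed; int counter; } monitor_t;
typedef enum { MON_OK, MON_RECOVERED, MON_REMEDIAL, MON_REMEDIAL_COUNTER } mon_result;

/* Assumed answer function. 40503 is odd, so distinct queries always have
   distinct expected answers, as claim 1 requires. */
uint16_t expected_answer(uint16_t q) { return (uint16_t)((q * 40503u) ^ 0xA5A5u); }

/* Send one query; count up on a mismatch, down (not below zero) on a match. */
static bool check(monitor_t *m, answer_fn ask, uint16_t q) {
    bool ok = ask(q) == expected_answer(q);
    if (!ok) m->counter++;
    else if (m->counter > 0) m->counter--;
    return ok;
}

mon_result monitor_cycle(monitor_t *m, answer_fn ask) {
    uint16_t q1 = m->seed, q2 = (uint16_t)(q1 + 1u); /* second query differs */
    mon_result r = MON_OK;
    if (!check(m, ask, q1)) {
        if (m->counter > FAULT_LIMIT) r = MON_REMEDIAL_COUNTER; /* no retry */
        else r = check(m, ask, q2) ? MON_RECOVERED : MON_REMEDIAL;
    }
    m->seed = (uint16_t)(m->seed + 2u); /* fresh queries for the next cycle */
    return r;
}

/* Constructed responders standing in for main processor modules. */
uint16_t healthy(uint16_t q) { return expected_answer(q); }
uint16_t stuck(uint16_t q) { (void)q; return 0; }
int glitches = 1; /* transient() answers wrongly this many times */
uint16_t transient(uint16_t q) { return glitches-- > 0 ? 0 : expected_answer(q); }

/* Run `cycles` cycles on a fresh monitor and return the last result. */
mon_result run(answer_fn ask, int cycles) {
    monitor_t m = { 1, 0 };
    mon_result r = MON_OK;
    while (cycles-- > 0) r = monitor_cycle(&m, ask);
    return r;
}

int main(void) {
    printf("healthy=%d stuck=%d x2=%d\n", (int)run(healthy, 3), (int)run(stuck, 1), (int)run(stuck, 2));
    return 0;
}
```

A single wrong answer followed by a correct answer to the second query leaves the counter at zero, while a module that keeps answering wrongly is escalated on the second query and, in the next cycle, on the counter alone.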

Patent Metadata

Filing Date: July 8, 2010

Publication Date: February 19, 2013

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method to ensure safety integrity of a microprocessor over a distributed network for automotive applications” (US-8380392). https://patentable.app/patents/US-8380392